TrustedBSD Audit Project
Robert Watson
rwatson at FreeBSD.org
Tue Oct 9 17:26:35 GMT 2001
On Mon, 8 Oct 2001, Gersh wrote:
> From the mail that richard had sent out I rember a section saying
> something like.
>
> "The audit record has to be stored, or else the event cannot take
> place". I would assume that this means we have to be able to write the
> record to disk before the action can be allowde to take place.
>
> Im not sure what kind of performence impacts this will have.
It would be interesting to know what level of guarantee is required with
respects to the following concern:
(1) The event can only be allowed to take place if, baring certain
classes of system failure, the record will be committed.
(2) The event can only be allowed to take place once the record has been
committed.
Presumably (1), or every system call would take a disk write. (2)
requires a reserved space for records, and tracking how much of the
reserved space has been theoretically allocated. And you can imagine many
sites without "trusted system requirements" where the issue is not
committing the records to stable store, but rather, the ability for a
record processing system (such as IDS) to keep up with record generation.
Likewise, if audit log reduction is not taking place at the level of log
record generation (there isn't a commit protocol in place), the concerns
are different.
It sounds like the following approach might be reasonable:
- Large audit buffer in kernel, which if filled, requires audited
processes to be blocked until it can be drained. Note deadlock
considerations here. Probably also an administrative option to choose
"lose data" instead of "halt audited processes" for sites where this is
less of a consideration; make use of record sequence numbers so sites
accepting record loss can detect loss, and permit a few simple loss
policies ("lose oldest, lose newest" or the like)--you can imagine more
complex policies being supported in the future.
- Userland process, which can notify the kernel if the free store for
records approaches the size of the kernel buffer. In practice this
would consist of an invariant that the application wouldn't let the
kernel buffer exceed the size of the free record storage. The process
could adapt the kernel record limit based on a variety of activities
(reduction, compaction, recycling, compression..)
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-audit" in the body of the message
More information about the trustedbsd-audit
mailing list